Loading in 2 Seconds...

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein

Loading in 2 Seconds...

- 42 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein' - russell-ryan

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Control Plane Resilience: The Method of Strong Detection

Raj Kumar

Vishal Misra

Dan Rubenstein

Allerton, 9/28/06

Routing Protocols with Misconfigurations

- Routing Protocols in “friendly” environments are well understood, e.g.,
- Link State: global knowledge, centralized approach
- Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc.
- BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding
- Critical Assumption for correctness: Nodes follow the proper protocol procedure
- Q: What happens when nodes don’t follow the protocol like they’re supposed to?

7007

7074

6957

5165

2134

4345

History Shows: Misbehaving nodes can be a big problem- The infamous BGP AS 7007 Incident:
- Consider routes to node 8765

…

Traffic goes where it is supposed to

7007

7074

6957

5165

2134

4345

Nodes don’t always “behave”- The infamous BGP AS 7007 Incident:

…

Traffic enters “black hole”

Can I tell if my neighbors are giving me the correct information?

Theory to detect “Bad” Nodes- Rules:
- “Bad” nodes can cheat, “Good” nodes can attempt to detect the bad nodes
- “Good” nodes must limited to information provided by the routing protocol
- Want to exchange additional info, modify the protocol
- Challenge: When can a good node determine something isn’t right?

B

D

E

A Node’s Info: Its State- A node’s state is its (only) view of the network
- e.g., Distance-Vector (a.k.a. Bellman-Ford)

C

F

G

Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)

Prior Work: “Weak” Detection

- Process for constructing a weak detection method:
- Find a property that a node’s state should exhibit
- Check the property in a node’s state
- Declare misconfiguration in network if property is violated
- A detection method is “Weak” if it fails to identify a misconfiguration that is detectable using another method (on same state)

A Weak Detection Method: Symmetry

- In an undirected graph, D(X,Y) = D(Y,X)
- Here, D(A,B) = 1
- But D(B,A) = 4
- Using symmetry, found a misconfiguration
- So why is Symmetry weak?

Another Weak Detection Method: Triangle Inequality [DMZ’03]

- Triangle inequality should hold:

D(X,Z) ≤ D(X,Y) + D(Y,Z)

- Violated here:
- D(B,E) = 3
- D(B,A) = 1
- D(A,E) = 1
- D(B,E) > D(B,A) + D(A,E)
- Note: symmetry property not violated

- Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration
- So why is triangle inequality weak?

Weakness of Triangle Inequality

A

- Suppose graph edge lengths are all 1
- No violation of symmetry or triangle inequality

C

B

Where to place edges?

A and B are our neighbors

C is distance 1 from B

D is distance 3 from both A & B: nowhere to put connecting edge

“Strong” Detection

- A detection method is “strong” if it always detects detectable misconfigurations
- More formally, Let
- μ be a method to detect misconfigurations
- C = {N} be the set of valid networks (what the network might look like)
- NR: the actual network (Note NRє C)
- sn(N) is state of node n when the routing protocol is executed correctly (and stabilized) within a network N є C
- s’n(NR) be the state actually computed at node n (possibly with misconfigurations) in network NR
- μ is a strong detection method if one of the following holds whenever s’n(NR) ≠ sn(NR):
- Detected: μ detects that sn(NR) ≠ s’n(NR)
- Undetectable: No method μ’ exists that can detect sn(NR)≠s’n(NR)

A High-Complexity Strong Detection Algorithm

- Input:
- State s’n(NR) of node n for the “real” but unknown network NR
- Description of set of allowable networks, C = {N}
- Algorithm: For each N є C
- Compute sn(N)
- If sn(N) = s’n(NR) then return MISCONFIG UNDETECTABLE (N might be the valid network)
- If no N є C matches, then misconfiguration detected

Algorithm Complexity is Ω(C), often huge!

Low-Complexity Strong-Detection

- Q: Can Strong Detection be achieved with low complexity?
- A: Sometimes: we show how to do it for Bellman-Ford (a.k.a. Distance Vector)

Strong Detection for D.V.

- Input at node n:
- S’n(NR): a single node’s (steady state) state table that reports each neighbor’s (supposed) distance to all nodes
- Set C of all allowable networks
- defined by {Axy}: Axy is the set of allowable lengths of edges between node x and y
- E.g., Axy = [0,3) U [4,4] U [7,100]

S’n(NR)

F

G

A

B

C

n

G

E

B

C

n

E

F

D

A

M

Strong Detection in D.V. at a node, n- Take node n’s state, s’n(NR)
- Use this state to build the canonical graph, M є C
- Simulate D.V. on M to generate simulated state sn(M)
- We will prove:
- If sn(M) ≠ s’n(NR), then misconfiguration detected
- Else, either there is no misconfiguration, or it is undetectable (using node n’s state) because M might be the actual network

s’n (NR)

sn(M)

Creating the Canonical Graph, M for an undirected network

- For each pair of nodes (x,y):
- Create edge (x,y) with length exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)|
- exy = ∞ if all values in Axy too small
- Consider state table on left
- eCD ≥ max(|12-5|, |13-9|, |8-12|) = 7
- If ACD = [1,1] U [4,6] U [8,10], then eCD = 8

Proving Strongness of the Canonical Graph Method

- N: a network for which sn(N) = s’n(NR), when such a network N exists
- M: the canonical graph constructed by n from s’n(NR)
- fxy: length of edge (x,y) in N (when the edge exists)
- exy: length of edge (x,y) in M (edges always exist)
- dG(x,y): shortest path distance from x to y in network G
- Assume: all edges have positive length (easy to extend when edges can also have length 0)
- High Level Sketch of Proof:
- If N exists where sn(N) = s’n(NR), then sn(M) = sn(N) = s’n(NR)
- If N does not exist, then sn(M) ≠ s’n(NR)

v

Bounds on exy- Lemma 1: If sn(N) = s’n(NR) for some N є C and edge (x,y) exists in N with length fxy, then exy ≤ fxy
- Proof: In N, x & y’s distances to any neighbor v must differ by at most fxy, i.e.: For each neighbor v, |dN(v,y) – dN(v,x)| ≤ fxy
- Hence maxm є V(n) |d(m,x) – d(m,y)| ≤ fxy
- Recall exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)|
- Since N є C, we have fxy є Axy and so exy ≤ fxy

y

x

fxy

exy

y

y

x

fxy

- Lemma 2: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≤ dN(v,x) for all neighbors v and all nodes x
- Proof: by contradiction. Select x with smallest dN(v,x) where dM(v,x) > dN(v,x)
- Let y be a preceding node on a shortest path from v to x in N: fxy is the edge connecting y to x on this path, so dN(v,y) < dN(v,x) and |dN(v,x) – dN(v,y)| = fxy
- dN(v,y) < dN(v,x), hence y not blue dM(v,y) ≤ dN(v,y), so dM(v,y) ≤ dN(v,y) < dN(v,x) < dM(v,x)
- fxy = |dN(v,x) – dN(v,y)| < |dM(v,x) – dM(v,y)| ≤ exy

Blue nodes t satisfydM(v,t) > dN(v,t)

v

x

n

Distance from v in N

Contradicts Lemma 1 (which states exy ≤ fxy)!!

v

y

y

exy

x

Blue nodes t satisfydM(v,t) < dN(v,t)

- Lemma 3: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≥ dN(v,x) for all neighbors v and all nodes x
- Proof: by contradiction. Select x with smallest dM(v,x) where dM(v,x) < dN(v,x)
- Let y be the node preceding x on a shortest path from v to x in M where edge exy connects y to x on this path: hence dM(v,y) < dM(v,x) and exy = dM(v,x) - dM(v,y)
- dM(v,y) < dM(v,x), hence y not blue dM(v,y) ≥ dN(v,y)
- Hence exy = dM(v,x) - dM(v,y) < dN(v,x) - dN(v,y) = | dN(v,x) - dN(v,y) |

x

n

Distance from v in M

But exy = maxm |dN(m,x) – dN(m,y)|, and

maxm |dN(m,x) – dN(m,y)|≥ |dN(v,x) – dN(v,y)| !! Contradiction!

The Main Result

- Some N є C produces state sn(N) = s’n(NR) sn(M) = s’n(NR)
- Proof:
- Follows from Lemma 2 (dM(v,x) ≤ dN(v,x))and Lemma 3(dM(v,x) ≥ dN(v,x))
- If no N є C produces state s’n(N), since M є C, M cannot produce state = s’n(N)
- In other words, only need to check if sn(M) = s’n(NR)
- Complexity: O(|V|3)
- Construct the canonical graph, M
- Simulate Bellman-Ford
- Compare State Tables

Extensions / Future Directions

- Same idea works for:
- Directed graphs
- Using state info from a set of trusted nodes
- Similar canonical graph construction works for path-vector variants
- Future Directions:
- Identifying the offending node (not just its existence)
- Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)

Download Presentation

Connecting to Server..